Creeping Control…

This is a tale of three ISPs, two governments and one LEA: T-Mobile, Vodafone, and Virgin Media, the UK and Australia, and SOCA.

A couple of days ago, T-Mobile (I was using a dongle attached to a netbook in a car park far from home) blocked my unequivocal access to an article on James Firth’s blog. You can read my comments at the time here (T-Mobile blocks ‘Slightly Right of Centre’), and T-Mobile’s policy here (Content lock). I don’t think there is anything sinister in this. But I don’t think T-Mobile’s system is anywhere near as advanced as it claims. And I am offended by its behaviour, and will exercise my right to go elsewhere in future.

Two days ago the No DPI blog published an article describing the discovery that Vodafone is using a Blue Coat web filter. No DPI is a bit upset at this, and you can read the post here (Vodastalk; Vodafone and Bluecoat Stalking Subscribers). I asked Blue Coat’s Nigel Hawthorn, VP EMEA Marketing, to explain for me.

Nigel Hawthorn, VP EMEA Marketing, Blue Coat

“Around 2005, Vodafone was concerned that children might access inappropriate content on their mobile phones, and the blame for this access could fall on Vodafone,” he told me. “So, as a measure of corporate responsibility they felt that even though parents and guardians are responsible for children’s Internet access at home, a mobile phone operator bears some responsibility when minors are using mobile phones. Of course, from a public opinion point of view, they also didn’t want a ‘Johnny’s accessing Playboy in the playground and it’s all Vodafone’s fault’ in the press. So, they looked at various options and deployed the Blue Coat WebFilter in their network.” Blue Coat actually announced this back in 2006 (Blue Coat Provides Mobile Operators with Web Filtering, Anti-Virus, Web Acceleration and Services Platform), which is important. It demonstrates that there was no attempt to do anything secretively.

“Vodafone split users into two categories: ‘children’ and ‘adults’,” he continued. It blocks various adult categories from phones that are owned by children. But “the next step was that Vodafone decided to be even more careful and consider that any phone that is owned by someone who they are unsure is a child or adult is considered a child until the owner contacts Vodafone and confirms that they are an adult.” Which seems to be exactly the same policy as that used by T-Mobile.

I asked Nigel to take me through the technology. “What happens technically,” he explained, “is that Vodafone has ProxySG devices installed in its network running Blue Coat WebFilter. WebFilter is doing the same job as it does for large enterprises – it just categorises websites. The actual policy about what is blocked or allowed is set by Vodafone. I believe that more than 99% of web requests are categorised by the WebFilter systems installed in the Vodafone network. However, if a person surfs to a previously unknown site, the ProxySG asks the cloud-based WebPulse service to check out that site. WebPulse then surfs to that page on behalf of the user and performs its various functions to try to ascertain the content categories that are appropriate (a single page can be in up to four categories).”

I had only one further question: does Vodafone send Blue Coat any user-identifiable information? “No. All we ever see is the URL, and the IP address of the ProxySG server – nothing about the individual user; and nothing else.”

Once again, I can see nothing sinister about this. In fact, even less than T-Mobile’s system, since in this case Vodafone is using an independent third party to categorise the web pages rather than imposing its own prejudices.

A week ago, Virgin Media broke the news that it had written to 1500 customers to tell them they were probably infected with the SpyEye trojan. This is an altogether different kettle of fish since it isolated the ‘infected’ users with the help of the Serious Organised Crime Agency (SOCA); and despite very common praise for VM’s proactive attitude towards the security of its customers, I believe that this deserves closer examination. My understanding is that SOCA monitors known SpyEye control servers. IP addresses that connect to or are contacted by these servers are likely to be infected PCs. So it effectively gave those IP addresses to VM, who said yes, these 1500 are our customers and we’ll write to them.

But this leaves me with several questions. Why has this service been given to VM only? If it was offered to the other ISPs, why didn’t they take it? Why did VM go with a law enforcement agency rather than doing it themselves or employing a third-party security specialist (like Vodafone and Blue Coat)? For example, VM could have freely used the list of SpyEye servers maintained by SpyEye Tracker.

SpyEye Tracker: monitors known SpyEye control servers
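
The matching described above (addresses seen exchanging traffic with known SpyEye control servers, then resolved to customer accounts) is sketched below as an added example; it is not code from Virgin Media, SOCA or SpyEye Tracker. The addresses, account IDs, lease table and record format are constructed assumptions, and each hit is resolved against the lease in force at the time of the flow, because a dynamic address can belong to different accounts on the same day.

```python
import ipaddress
from datetime import datetime

# Constructed control-server list (documentation ranges), standing in for a tracker feed.
C2_SERVERS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "198.51.100.77")}

# Constructed flow records: timestamp, source address, destination address.
FLOWS = """\
2011-06-20T09:15:02 192.0.2.14 203.0.113.10
2011-06-20T09:16:40 192.0.2.15 198.51.100.5
2011-06-20T21:03:11 192.0.2.14 198.51.100.77
2011-06-20T22:10:00 203.0.113.10 192.0.2.99
not a flow record
"""

# Constructed DHCP leases: (address, lease start, lease end, account).
LEASES = [
    ("192.0.2.14", "2011-06-20T00:00:00", "2011-06-20T12:00:00", "ACCT-1001"),
    ("192.0.2.14", "2011-06-20T12:00:00", "2011-06-21T00:00:00", "ACCT-2002"),
    ("192.0.2.15", "2011-06-20T00:00:00", "2011-06-21T00:00:00", "ACCT-3003"),
]

def account_for(ip, when):
    """Return the account holding `ip` at time `when`, or None if no lease matches."""
    for addr, start, end, acct in LEASES:
        if addr == ip and datetime.fromisoformat(start) <= when < datetime.fromisoformat(end):
            return acct
    return None

def suspected_infections(flow_text):
    """Return ({account: [C2 addresses]}, [(address, time) hits with no lease])."""
    hits, unresolved = {}, []
    for line in flow_text.splitlines():
        parts = line.split()
        try:
            when = datetime.fromisoformat(parts[0])
            src, dst = (ipaddress.ip_address(p) for p in parts[1:3])
        except (ValueError, IndexError):
            continue  # skip malformed records rather than guessing
        # Either direction counts: "connect to or are contacted by" a control server.
        for c2, peer in ((dst, src), (src, dst)):
            if c2 in C2_SERVERS and peer not in C2_SERVERS:
                acct = account_for(str(peer), when)
                if acct:
                    hits.setdefault(acct, set()).add(str(c2))
                else:
                    unresolved.append((str(peer), when.isoformat()))
    return {a: sorted(s) for a, s in hits.items()}, unresolved
```

In the constructed data the address 192.0.2.14 resolves to two different accounts depending on the time of the flow, which is why a bare IP list without timestamps cannot safely be turned into customer letters.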

Other questions are why write to the customers rather than email or telephone? Given the nature of SpyEye, that minimum of a 24-hour delay could be catastrophic for the infected users. And what if the user was a tenant in a building with an absentee landlord? The registered user might be in a different country to the actual user – and again, the delay in getting the message could be catastrophic. All in all, it doesn’t quite seem to add up.

And that brings us specifically to SOCA. SOCA is the law enforcement agency that lobbied Nominet to agree to take down UK websites that SOCA declared to be illegal. Without the need for judicial oversight. And now take a step further back to the UK Home Office, the Ministry in charge of the UK law enforcement agencies. This month the Home Office published its ‘Prevent Strategy’ (my comments: So you thought this Coalition was less draconian than New labour? Think again). It includes:

We want to explore the potential for violent and unlawful URL lists to be voluntarily incorporated into independent national blocking lists…

Note that word ‘voluntarily’. In politic-speak, that means ‘without our need to get a court order’. So, put bluntly, the Home Office and SOCA are set on a course of obtaining extra-judicial control of the internet without the need for either parliamentary debate or a court order. By partnering with one of the UK’s major ISPs, that idea of SOCA and ISPs working together for the good of the people is almost subliminally injected into our subconscious. But the truth of the matter is that it is more like a form of creeping control.

Now let’s look at the final part of our story: Australia. Australia has succeeded in implementing the Home Office plan.

Starting next month, the vast majority of Australia’s Internet users will find their access censored, following a decision by the country’s two largest providers–Telstra and Optus–as well as two smaller ISPs (itExtreme and Webshield), to voluntarily block more than 500 websites from view.
EFF: Australia Heads Down the Slippery Slope, Authorizes ISPs to Filter

EFF then enumerates four reasons we should worry about this:

there is no transparency in the selection of URLs to be blacklisted, and no accountability from the regulatory bodies creating the blacklists

filtering does little to curb the trade of child pornography, much of which is traded across peer-to-peer networks and VPNs. Filtering it from the world wide web may simply push it further underground

there appears to be no appeals process in the Australian ISPs’ scheme, thereby making it difficult for sites erroneously caught up in the filter to challenge the block

the introduction of a filter sets precedent for the ISPs to filter more sites in the future at the behest of the Australian Communications and Media Authority. If the ACMA were to make the decision that sites deemed “indecent” or politically controversial–for example–should be off-limits, would the ISPs comply?

This is where we are heading in the UK, and that’s why we should worry about this relationship between SOCA and Virgin Media. I cannot prove an ‘evil partnership’ between the two; but in the EFF’s words, ‘it sets precedent’ for ISPs to get more and more involved in ‘voluntary’ blocking. What I do know is that SOCA and the Home Office would like control of the internet without judicial oversight; and that this relationship between SOCA and Virgin Media will make that all the more likely. I would be much happier if the ISPs do their filtering individually and without law enforcement or government input: T-Mobile’s Content Lock and Vodafone’s Blue Coat are infinitely better than Virgin Media’s SOCA.